
PEAPv0: Added crypto_binding configuration option (part of phase1)

crypto_binding=# in phase1 network parameter can now be used to change the
PEAPv0 cryptobinding behavior (0 = do not use, 1 = optional (default),
2 = required).
Jouni Malinen 17 years ago
commit
d6888f9e37
3 changed files with 22 additions and 0 deletions
  1. 6 0
      src/eap_peer/eap_config.h
  2. 11 0
      src/eap_peer/eap_peap.c
  3. 5 0
      wpa_supplicant/wpa_supplicant.conf

+ 6 - 0
src/eap_peer/eap_config.h

@@ -350,6 +350,12 @@ struct eap_peer_config {
 	 * fast_pac_format=binary option can be used to select binary format
 	 * for storing PAC entires in order to save some space (the default
 	 * text format uses about 2.5 times the size of minimal binary format).
+	 *
+	 * crypto_binding option can be used to control PEAPv0 cryptobinding
+	 * behavior:
+	 * 0 = do not use cryptobinding
+	 * 1 = use cryptobinding if server supports it (default)
+	 * 2 = require cryptobinding
 	 */
 	char *phase1;
 

+ 11 - 0
src/eap_peer/eap_peap.c

@@ -101,6 +101,17 @@ static int eap_peap_parse_phase1(struct eap_peap_data *data,
 			   "receiving tunneled EAP-Success");
 	}
 
+	if (os_strstr(phase1, "crypto_binding=0")) {
+		data->crypto_binding = NO_BINDING;
+		wpa_printf(MSG_DEBUG, "EAP-PEAP: Do not use cryptobinding");
+	} else if (os_strstr(phase1, "crypto_binding=1")) {
+		data->crypto_binding = OPTIONAL_BINDING;
+		wpa_printf(MSG_DEBUG, "EAP-PEAP: Optional cryptobinding");
+	} else if (os_strstr(phase1, "crypto_binding=2")) {
+		data->crypto_binding = REQUIRE_BINDING;
+		wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
+	}
+
 	return 0;
 }
 
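Review bot: The os_strstr() checks in the added block fail open: a value such as `crypto_binding=3` or `crypto_binding=required` matches none of the three patterns, logs nothing and leaves the default in place, which this commit documents as optional, so a configuration meant to require cryptobinding can silently not require it. The substring match also reads `crypto_binding=20` as 2, and if phase1 contains the option twice, `crypto_binding=0` wins because it is tested first. I would locate `crypto_binding=` once, accept exactly `0`, `1` or `2` followed by a space or the end of the string, and otherwise log the error and return -1. Whether the caller treats a negative return as a configuration error is not visible here, and eap_peap_parse_phase1() starts above the hunk.

```c
	const char *pos;	/* declared with the function's other locals */

	/* … unchanged: earlier phase1 options … */

	pos = os_strstr(phase1, "crypto_binding=");
	if (pos) {
		pos += os_strlen("crypto_binding=");
		/* exactly one digit, then a separator or the end of phase1 */
		if (pos[0] < '0' || pos[0] > '2' ||
		    (pos[1] != '\0' && pos[1] != ' ')) {
			wpa_printf(MSG_INFO, "EAP-PEAP: Invalid crypto_binding "
				   "value in phase1");
			return -1;
		}
		switch (pos[0]) {
		/* … unchanged: NO_BINDING / OPTIONAL_BINDING / REQUIRE_BINDING
		 * assignments and debug messages, one case per digit … */
		}
	}

	return 0;
```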

+ 5 - 0
wpa_supplicant/wpa_supplicant.conf

@@ -387,6 +387,11 @@ fast_reauth=1
 #	challenges (by default, it accepts 2 or 3)
 #	result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
 #	protected result indication.
+#	'crypto_binding' option can be used to control PEAPv0 cryptobinding
+#	behavior:
+#	 * 0 = do not use cryptobinding
+#	 * 1 = use cryptobinding if server supports it (default)
+#	 * 2 = require cryptobinding
 # phase2: Phase2 (inner authentication with TLS tunnel) parameters
 #	(string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
 #	"autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS)
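Review bot: The added comment lists the three values but does not say what the default leaves unprotected. As value 1 is described, a server that does not perform cryptobinding is still accepted, so the inner authentication is bound to the TLS tunnel only when the option is set to 2. I would add a line after the list, such as `#	Only 2 rejects a server that does not perform cryptobinding; with 0 or 1 authentication can complete without it.` The same sentence would fit the matching comment in src/eap_peer/eap_config.h.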